Deployed bytecode matches signed release tag

Superstate's assessment for RD-F-136 — scored yellow on the v1.7.0 rubric. The evidence below is the curator's reasoning for this score.

Evidence summary #

GitHub superstateinc/ustb does not publish formal signed release tags for each deployed version. Last public commit is 2025-04-14 (data-cache). The July 2025 upgrade to SuperstateTokenV5_1 (block 22933833) post-dates the last known public GitHub commit; if deployed from a private branch, bytecode reproducibility from public repo is unverifiable for the current live implementation. Etherscan shows exact-match verification for deployed contracts, providing partial assurance, but no signed git tag provides a cryptographic anchor between source and deployed bytecode.

Sources #

Etherscan
SuperstateTokenV5_1 Etherscan VerificationSuperstateTokenV5_1 0x1f50a1EE: Etherscan exact-match verified but deployed July 2025 post-dating last public GitHub commitretrieved 2026-05-16
GitHub
Superstate USTB GitHub Repo - No Signed Release Tagssuperstateinc/ustb: no signed release tags found; last public commit 2025-04-14retrieved 2026-05-16

Methodology #

Determine whether the deployed runtime bytecode corresponds to a signed git tag in the protocol's repository.

See the full factor methodology and distribution across all protocols →

rubric_version v1.7.0 protocol superstate factor RD-F-136 score yellow collected_at 2026-05-16 00:06:37